Signup security.

Started by Mike1158, December 06, 2012, 04:35:50 AM


Mike1158

Pardon my ignorance but I thought the system was supposed to recognise double entry or multiple use of an ip or e-mail address etc, thus reducing the amount of accounts set up by one particular person/spammer/bot.

I have lost count of the number of times I have found a bot or spammer signing up with multiple accounts from the same location/e-mail etc.  Anyone have any clues how to deal with this?

Shambles

Are you sure the email address was duplicated exactly? What version of SMF are we discussing here?

The system should not allow more than one use of an email address.

I have seen (and occasionally made use of  O:)) the Gmail system's "flexibility" when it comes to ignoring the "." in the prenodal name, eg shamble.s, sham.bles, s.hambles, s.h.ambles (etc) all belong to the same gmail account, but would be treated as separate addresses for signup purposes.

As for reusing an IP address, prohibiting that wouldn't be a good idea. What if several members of the same family were using your forum at the same time? If they shared the same router they would undoubtedly share the same public IP address.

Mike1158

No!, not certain, after all I posted that because I don't think about stuff.  Perlease.

I am not talking about banning IP willy nilly, only when they are found to be a spammer or bot of some description. Multiple user accounts in a family do not happen either, it is just not in the natural for users of the software concerned.

Software is v2.02.

Mike1158

NB. If the banning of an IP address is so dodgy an action, why allow it at all? For banning bots and spammers as far as I can see.......

Shambles

Quote from: Mike1158 on December 06, 2012, 06:39:28 AM
NB.  If the banning of an IP address is so dodgy an action, why allow it at all?

It's not dodgy. What you suggested is dodgy...

Quote: ... the system was supposed to recognise ... multiple use of an ip

On my forum I can click any one of the IP addresses currently being used and could get half a dozen "recently used by members.." being reported. Ie, IP addresses do get reused, so SMF cannot possibly be expected to isolate and bar repeat occurrences thereof.

Mike1158

I do not think you are firing on all cylinders today, I suggested banning an ip is allowed for by the system and this is something you yourself suggest is not dodgy, but my suggesting it is?

Again I see you miss the validity of the point with your second sentence that ip are re-used and therefore cannot be banned. Why have a ban function if it cannot be facilitated?

Anyone out there awake today?

emanuele

Guys take a break and breathe please.

Banning an IP is legit (I have many banned, but *I* added the IP to the list, it's my own will).
Automatically blocking registrations from the same IP is not legit.
Reasons:
1) the same (public) IP can be shared by multiple members (for example a company can have a single IP facing the outside world and many internal IPs, so all the employees would have the same IP),
2) the same IP can be shared by multiple members (yes twice) because for example here in Italy the IPs are dynamic, so today I have an IP, tomorrow I have another one and mine is used by someone else,
3) different IPs may be used by the same person (the opposite of 2)

For these reasons and for others "blocking" the IP that a member used to register is meaningless.

It *could* be useful to prevent the same IP from registering multiple times in a small timeframe, and that is something SMF already does (at the moment I don't remember the exact numbers, but it should be something like 5 minutes or half an hour). In that period of time other members from the same IP cannot register.

Regarding the email yes, there is the issue of gmail...
Oldiesmann opened a feature request here: https://github.com/SimpleMachines/SMF2.1/issues/240 to find an appropriate solution. It needs coding anyway.


Take a peek at what I'm doing! ;D




Do you need support in Italian?

Help us to help you: explain your problem properly: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

Shambles


Mike1158

The point I tried to ask about is that the banning of ip is in the banning system and yet it appears not to work hence a fail of the ban system because the same ip etc has occurred and has been banned. As in during the same session.

emanuele

Well, that's not what you wrote in the first post (and neither in the successive until now). ;)

Okay, so let's try to make it clear: you have an IP in the ban list and that IP is still able to register.
Is that the issue?
Can you tell us what is the exact ban trigger? (i.e. 123.1.1-123.* or an exact IP or what)



Mike1158

Actually it is what I wrote, perhaps it is not wot u red.

My second post even shows this in an attachment.  Thanks.

emanuele

Sorry but not:
Quote from: Mike1158 on December 06, 2012, 04:35:50 AM
Pardon my ignorance but I thought the system was supposed to recognise double entry or multiple use of an ip or e-mail address etc, thus reducing the amount of accounts set up by one particular person/spammer/bot.

I have lost count of the number of times I have found a bot or spammer signing up with multiple accounts from the same location/e-mail etc.  Anyone have any clues how to deal with this?

What you say here (at least what I (and most likely Shambles™) understood) is:
* from the first paragraph: SMF should recognise when a user registers with a certain name, email, IP and not allow other registrations with the same name, or email, or IP.
* from the second: that spambots sign up with multiple accounts
Nowhere you said you banned something.

In the attachment of your second post you show the error message you get when you add an IP to a ban, yes, but TBH I was not sure how to relate it to your first that was saying apparently something completely different.

Case closed, my fault.

Can you please report *exactly* the details of all the ban triggers in the ban "Ecollottarfaw"? (and the ban itself)



Mike1158

Like I asked in the PM, please remove the account, I will not be using it.

Tomy Tran

Quote from: emanuele on December 06, 2012, 07:43:27 AM
...
Regarding the email yes, there is the issue of gmail...
Oldiesmann opened a feature request here: https://github.com/SimpleMachines/SMF2.1/issues/240 to find an appropriate solution. It needs coding anyway.

I have learnt Pascal coding theory. Based on this case, we should build a separate plugin, on that, it will check in registering process only and at point after of checking valid email address then check a part of @gmail.com (supposed if gmail.com only, no more gmail.ca, gmail.us,... ). If YES, check with current @gmail.com addresses in condition: ( remove all "." in ID). This is plugin so we can then fill in more like gmail.ca, - for hotmail.com, - for outlook.com or _ for yahoo.com etc in the future.

Back to my issue, many spammers registered with the same IP. This may conflict if a family enjoy our forum so I don't want to block them on registering, but their acc will be waited to active by mod or admin. Other solution if common registering process but have plugin to check on all members with the same IP only, so we can see on usernames e.x. can find out a clue of spam potential Ex: tomytran123, tomytran124, tomytran567, and same date same time (14:01, 14:13 etc) registering.
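
Added example, not part of any post in this thread and not SMF code: a sketch of the registration check described above, which compares a canonical form of the email address (Gmail dots removed) and holds same-IP signups inside a short window for moderator approval instead of blocking them. The function names, the 30-minute window, the "+tag" stripping, the googlemail.com alias and the sample records are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Only Gmail's dot rule comes from the thread; "+tag" stripping and the
# googlemail.com alias are added here. Extend the table per provider.
PROVIDER_RULES = {
    "gmail.com": {"strip": ".", "tag_sep": "+"},
    "googlemail.com": {"strip": ".", "tag_sep": "+", "alias_of": "gmail.com"},
}

def canonical_email(address):
    """Key for duplicate checks only; the address the user typed is still stored."""
    # Assumption: addresses are compared case-insensitively.
    local, at, domain = address.strip().lower().rpartition("@")
    if not (at and local and domain):
        raise ValueError("not an email address: %r" % address)
    rule = PROVIDER_RULES.get(domain, {})
    if rule.get("tag_sep"):
        local = local.split(rule["tag_sep"], 1)[0]   # drop "+anything"
    for ch in rule.get("strip", ""):
        local = local.replace(ch, "")                # characters the provider ignores
    if not local:
        raise ValueError("empty mailbox name after normalisation")
    return local + "@" + rule.get("alias_of", domain)

def review_signup(new, members, window=timedelta(minutes=30)):
    """Return 'reject', 'hold' (await moderator approval) or 'accept'."""
    key = canonical_email(new["email"])
    if any(canonical_email(m["email"]) == key for m in members):
        return "reject"                              # same mailbox, different spelling
    for m in members:
        if m["ip"] == new["ip"] and abs(new["when"] - m["when"]) <= window:
            return "hold"                            # shared IP is not proof: a human decides
    return "accept"

# Constructed sample data (documentation IP ranges, made-up addresses).
T0 = datetime(2012, 12, 6, 14, 1)
MEMBERS = [
    {"name": "tomytran123", "email": "forum.sample.user@gmail.com",
     "ip": "203.0.113.7", "when": T0},
]
SIGNUPS = [
    {"name": "tomytran124", "email": "F.orumsample.user+x@googlemail.com",
     "ip": "198.51.100.9", "when": T0 + timedelta(minutes=12)},
    {"name": "tomytran567", "email": "other@example.org",
     "ip": "203.0.113.7", "when": T0 + timedelta(minutes=12)},
    {"name": "familymember", "email": "sibling@example.org",
     "ip": "203.0.113.7", "when": T0 + timedelta(days=3)},
]

if __name__ == "__main__":
    for s in SIGNUPS:
        print(s["name"], "->", review_signup(s, MEMBERS))
```

The canonical form is used only as a comparison key, so mail is still sent to the address exactly as the user entered it.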

Arantor

Quote: I have learnt Pascal coding theory

Not being funny but how is that relevant here?

Seriously, this is not actually hard to do in itself, however it cannot be done the way SMF handles bans. You'd have to totally re-engineer the ban system to do it properly. I should know, I already did it once. (I'd add a screenshot of what I built, but attachments are not permitted in this board for some reason)

Mind you the entire ban system could do with an overhaul anyway. The way it implements IPv6 (as of 2.1) is somewhat farcical and a serious performance issue.
Holder of controversial views, all of which my own.


Tomy Tran

I mean I am good at algorithms and my idea might be good to use for someone finding solution to develop this plugin.

Arantor

Sorry but understanding a given computer theory does not actually make this process any easier. I'm not talking about theoretical implementation, I have already *done* this before in an SMF derivative product.